OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

dss-x-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [dss-x-comment] Questions about DSS-X Local Signature Computation Version 1.0

Dear Aron,

We have discussed your feedback; below our reply.

Regarding the use of the Profile attribute:
We understand that the Profile attribute is normally used the specifion
of the type of document that is requested, such as
"urn:oasis:names:tc:dss:1.0:profiles:XAdES" in case of XAdES.

But the use of (for instance)
"urn:oasis:names:tc:dss:1.0:profiles:XAdES" as a Profile attribute would
indicate that it is not a local signature profile, so it cannot be a
SECOND SignRequest as specified by the local signature profile.

The SECOND SignRequest has some addional elements which are not present
in the DSS-core specification (not as an optional input), such as the
element SignatureObject, and it may assume a certain state of the
Digital Signature Service (for instance if the document is temporarily
stored in the Digital Signature Service, obtained during the FIRST
SignRequest). The use of these elements and the expected behavior of the
Digital Signature Service apply only to the local signature profile.

To indicate this ‘different’ setup of the (second) SignRequest, a proper
value for the Profile attribute is needed: in this case

Fortunately, the DSS-core specification allows for the use of additional

2.8.4 Optional Input <AdditionalProfile>
The <AdditionalProfile> element can appear multiple times in a request.
It indicates additional profiles which modify the main profile specified
by the Profile attribute (thus the Profile attribute MUST be present;
see sections 3.1 and 4.1 for details of this attribute). The
interpretation of additional profiles is determined by the main profile.

We therefore propose to add an additional description/indication for the
use of the AdditionalProfile element.

This way, it should be possible to specify a second profile, such as:
in case of XAdES documents.

As mentioned earlier (and included for completeness):

Regarding the XSD
The XSD was not updated to the changes in the document, unfortunately
(the reference [LocalSigXSD] as found in the document, was also not

The element "RequestDocumentHash" has to be used, as presented in the
document. The XSD will be corrected as well as the reference
[LocalSigXSD] in the document.

With kind regards,

Ernst Jan

Szabó Áron wrote:
> Dear Ernst,
> thanks for your quick answer. Beyond XSD modification, could you also explain the Profile-issue? I mean, as I understand the described workflow, in two-step-approach case, the result of SECOND SignRequest (identified by Profile attribute) should be XAdES, PAdES, CAdES etc. structure into which the posted PKCS#1 encoded hash (e.g. SignatureValue element of XMLDSIG/XAdES) shall be embedded.
> BR, Aron
> ---
> Dear Aron,
> Thank you very much for your comments.
> A quick look at the XSD made it clear to me that the XSD was unfortunately not updated with the change regarding the use of RequestDocumentHash (which should be in the XSD).
> We will discuss your remarks in our team and will provide a detailed response as soon as possible.
> With kind regards
> Ernst Jan van Nigtevecht
> Szabó Áron wrote:
>> Dear Members,
>> I am writing in connection with Local Signature Computation Version 1.0 specification.
>> I have seen the e-mail sent on 2015-08-25 about the announcement of publication the specification Version 1.0. I looked through the related descriptions and schemas and I found that somehow the "final" version of XML schema does not correspond to "final" version of specification. I could perform XML schema validations on sample XML files by using "csprd02". E.g. from "final" XML schema the "RequestDocumentHash" is missing, it contains "ReturnDocumentHash". Also there was a comment about this in "Appendix E" but it is not clear which version may be the last: 'Processed the comments on CSD 01; see "https://www.oasis-open.org/committees/document.php?document_id=53473&wg_abbrev=dss-x";. Renamed localsig:ReturnDocumentHash into localsig:RequestDocumentHash (in Section in the code).' So, shall I use "RequestDocumentHash" or "ReturnDocumentHash" in SignRequest messages?
>> The other thing that was interesting that at Two-Step Approach operation mode (identified by: "http://docs.oasis-open.org/dss-x/ns/localsig/two-step-approach";), the "Profile" attribute at the SECOND SignRequest MUST also be "http://docs.oasis-open.org/dss-x/ns/localsig";. For the FIRST SignRequest, it is clear, that this identifies that returned value shall be just a simple hash, but at the SECOND SignRequest the client shall identify the finalized type of the result Signature structure which should be e.g. "urn:oasis:names:tc:dss:1.0:profiles:XAdES" in case of XAdES, isn't it?!
>> Anyway, just in general, I can say, that I liked the descriptions of all uses cases in this document. They are all in conformance with NPAPI-free operation modes that are supported by recently used, eIDAS-conform eID systems such as German or Hungarian national eID cards.
>> BR, Aron

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]